Guest
Filling SoA justification
I have a question about control A.12.6.1, handling of technical vulnerabilities (inside the SoA table). In the column "reason for selection / exclusion" I could basically enter almost any risk from the risk assessment table, because a lot of risks are based on technical things. I'm guessing that's not the way to go(?) For some other controls in this table I have chosen general statements as the "reason for selection / exclusion" without mentioning the concrete risks from the risk assessment table. Would that make sense for control A.12.6.1, too?
Expert
Rhand Leal
Sep 09, 2019
Answer:
In fact, entering all the risks from the risk treatment table in the SoA is not the best way to justify applicable controls. What you can do is include only the risk IDs of the risks related to control A.12.6.1, according to your risk treatment table. For example, you could write "Risk 001, 003, and 023".